How to Build a Highly Available Kubernetes Cluster with kubeadm on CentOS 7

This guide walks through setting up a highly available Kubernetes cluster on five CentOS 7 machines using kubeadm, configuring keepalived and HAProxy for load balancing, disabling swap and SELinux, installing Docker, initializing the control plane, joining master and worker nodes, deploying Calico networking, and verifying the cluster’s functionality.

MaGe Linux Operations

When setting up a Kubernetes (k8s) cluster for production on local machines, it is recommended to deploy it with high availability (HA). This article demonstrates how to set up an HA Kubernetes cluster using the kubeadm utility.

Demo environment:

k8s-master-1 – CentOS 7 – 192.168.1.40 – 2 GB RAM, 2 vCPU, 40 GB disk

k8s-master-2 – CentOS 7 – 192.168.1.41 – 2 GB RAM, 2 vCPU, 40 GB disk

k8s-master-3 – CentOS 7 – 192.168.1.42 – 2 GB RAM, 2 vCPU, 40 GB disk

k8s-worker-1 – CentOS 7 – 192.168.1.43 – 2 GB RAM, 2 vCPU, 40 GB disk

k8s-worker-2 – CentOS 7 – 192.168.1.44 – 2 GB RAM, 2 vCPU, 40 GB disk

Note: the etcd cluster can also run outside the master nodes, but this tutorial installs etcd on the masters.

Minimum requirements for an HA K8s cluster:

Install kubeadm, kubelet and kubectl on all master and worker nodes

Network connectivity between masters and workers

Internet access on all nodes

Root credentials or a sudo‑privileged user on all nodes

Step 1. Set hostnames and update /etc/hosts

Run hostnamectl set-hostname "k8s-master-1" on the first master, then repeat on each remaining node with that node's own name. Then add the following entries to /etc/hosts on every node:

192.168.1.40   k8s-master-1
192.168.1.41   k8s-master-2
192.168.1.42   k8s-master-3
192.168.1.43   k8s-worker-1
192.168.1.44   k8s-worker-2
192.168.1.45   vip-k8s-master

The IP 192.168.1.45 (vip‑k8s‑master) will be used as the virtual IP for the kube‑apiserver load balancer.

Step 2. Install and configure keepalived and HAProxy on all masters

Install the packages:

sudo yum install haproxy keepalived -y

Create /etc/keepalived/check_apiserver.sh (script omitted for brevity) and make it executable:

sudo chmod +x /etc/keepalived/check_apiserver.sh
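
The article omits the health-check script, so here is one possible version as an added example; it is not the original author's script. It assumes the kubeadm default CA path /etc/kubernetes/pki/ca.crt, that the node name and vip-k8s-master are in the API server certificate (kubeadm adds both when initialized as in Step 6), and that /healthz is readable without credentials; the function names are hypothetical.

```shell
#!/bin/sh
# Added example for /etc/keepalived/check_apiserver.sh.
# Unlike a probe run with --insecure, this one only passes when the endpoint
# presents a certificate that chains to the cluster CA.
VIP_NAME="${VIP_NAME:-vip-k8s-master}"   # name from Step 1's /etc/hosts
VIP_ADDR="${VIP_ADDR:-192.168.1.45}"     # virtual IP from keepalived.conf
LB_PORT="${LB_PORT:-8443}"               # HAProxy frontend port
API_PORT="${API_PORT:-6443}"             # local kube-apiserver port
CA="${CA:-/etc/kubernetes/pki/ca.crt}"   # assumption: kubeadm default CA path

# Succeeds only on an HTTP 2xx answer over a verified TLS connection.
probe() {
    curl --silent --fail --max-time 2 --cacert "$CA" --output /dev/null "$1"
}

# True when this node currently holds the virtual IP.
vip_is_local() {
    ip -o -4 addr show | grep -qF " $VIP_ADDR/"
}

check_apiserver() {
    # The local API server must be healthy for this node to keep its priority.
    probe "https://$(uname -n):$API_PORT/healthz" || {
        echo "local kube-apiserver failed /healthz" >&2
        return 1
    }
    # If this node owns the VIP, the path through HAProxy must work as well.
    if vip_is_local; then
        probe "https://$VIP_NAME:$LB_PORT/healthz" || {
            echo "VIP path through HAProxy failed /healthz" >&2
            return 1
        }
    fi
    return 0
}

# Run the check only when invoked under the installed script name.
if [ "${0##*/}" = "check_apiserver.sh" ]; then
    check_apiserver
    exit $?
fi
```

A non-zero exit makes keepalived apply the weight -2 from the vrrp_script block after fall consecutive failures.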

Back up and replace /etc/keepalived/keepalived.conf with the following content (master‑1 is MASTER, others will be SLAVE):

global_defs {
    router_id LVS_DEVEL
}
vrrp_script check_apiserver {
    script "/etc/keepalived/check_apiserver.sh"
    interval 3
    weight -2
    fall 10
    rise 2
}
vrrp_instance VI_1 {
    state MASTER
    interface enp0s3
    virtual_router_id 151
    priority 255
    authentication {
        auth_type PASS
        auth_pass P@##D321!
    }
    virtual_ipaddress {
        192.168.1.45/24
    }
    track_script {
        check_apiserver
    }
}
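
The authentication block above deserves a check before the file is copied to the other masters: keepalived uses only the first eight characters of auth_pass, auth_type PASS puts that password unencrypted into every VRRP advertisement, and the file itself holds the secret. The audit function below is an added example, not part of the original article; the name audit_keepalived is hypothetical.

```shell
#!/bin/sh
# Added example: audit a keepalived.conf for VRRP authentication pitfalls.
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
audit_keepalived() {
    conf=$1
    rc=0

    # keepalived silently ignores everything after the eighth character.
    pass=$(awk '$1 == "auth_pass" { print $2; exit }' "$conf")
    if [ "${#pass}" -gt 8 ]; then
        echo "auth_pass: ${#pass} characters set, only the first 8 are used"
        rc=1
    fi

    # Simple password authentication is visible to anyone on the VRRP segment.
    if grep -Eq '^[[:space:]]*auth_type[[:space:]]+PASS' "$conf"; then
        echo "auth_type: PASS is sent in clear text in VRRP advertisements"
        rc=1
    fi

    # The file stores a shared secret, so group and other must not read it.
    if [ -n "$(find "$conf" \( -perm -040 -o -perm -004 \))" ]; then
        echo "mode: $conf is readable by group or other"
        rc=1
    fi

    return $rc
}

# Usage: sh audit_keepalived.sh /etc/keepalived/keepalived.conf
if [ "$#" -gt 0 ]; then
    audit_keepalived "$1"
fi
```

Run against the configuration shown above, the length check fires because the password is nine characters long.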

Copy check_apiserver.sh, keepalived.conf and haproxy.cfg to the other masters using scp and adjust the priority and state values (254 and 253, SLAVE).

Configure HAProxy on the first master (append the following to /etc/haproxy/haproxy.cfg after removing the default section):

frontend apiserver
    bind *:8443
    mode tcp
    option tcplog
    default_backend apiserver

backend apiserver
    option httpchk GET /healthz
    http-check expect status 200
    mode tcp
    option ssl-hello-chk
    balance roundrobin
    server k8s-master-1 192.168.1.40:6443 check
    server k8s-master-2 192.168.1.41:6443 check
    server k8s-master-3 192.168.1.42:6443 check

Enable and start the services on all masters:

sudo systemctl enable keepalived --now
sudo systemctl enable haproxy --now

Verify that the virtual IP (VIP) is active on the master‑1 node.

Step 3. Disable swap and set SELinux to permissive

sudo swapoff -a
sudo sed -i '/ swap / s/^/#/' /etc/fstab
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config

Step 4. Install Docker (CRI) on all masters and workers

sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install docker-ce -y
sudo systemctl enable docker --now

Step 5. Install kubeadm, kubelet and kubectl

cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF

sudo yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
sudo systemctl enable kubelet --now

Step 6. Initialize the control plane on the first master

sudo kubeadm init --control-plane-endpoint "vip-k8s-master:8443" --upload-certs

Copy the generated admin.conf to the local user’s kube config:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Deploy Calico CNI:

kubectl apply -f https://docs.projectcalico.org/v3.14/manifests/calico.yaml

Step 7. Join the remaining master nodes

Run the kubeadm join … --control-plane … command printed by the init output on k8s-master-2 and k8s-master-3.

Step 8. Join worker nodes

Run the standard kubeadm join … command on k8s-worker-1 and k8s-worker-2.

Step 9. Verify the cluster

kubectl get nodes

All masters and workers should show Ready status.

Step 10. Deploy a test application

kubectl create deployment nginx-lab --image=nginx
kubectl scale deployment nginx-lab --replicas=4
kubectl expose deployment nginx-lab --name=nginx-lab --type=NodePort --port=80 --target-port=80
kubectl get svc nginx-lab

Access the service using any node’s IP and the assigned NodePort (e.g., http://192.168.1.44:31766).

Following these steps results in a fully functional, highly available Kubernetes cluster on CentOS 7.
